// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 30, 2025
Signal Brief · Archived

Week of June 30, 2025

2025-06-30 — 2025-07-06 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 30, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 4 research pocs, 1 vuln disclosure. Vendors in the record this week: FreeBSD.

The Week's Public Record

Events

2025-07-05
research poc
Research PoC Demonstrates EDR Evasion Using BYOVD and KDMapperBYOVD+KDMapper
A security researcher published a proof-of-concept demonstrating how to evade endpoint detection and response (EDR) systems by loading a signed vulnerable driver using the KDMapper tool. The technique leverages the Bring Your Own Vulnerable Driver (BYOVD) method to gain kernel-level access and bypass security monitoring. This highlights ongoing risks from vulnerable signed drivers in endpoint security.
2025-07-05
vuln disclosure
AI-Discovered and Exploited FreeBSD Remote Kernel RCE (CVE-2026-4747)CVE-2026-4747
CVE-2026-4747 is a remote kernel code execution vulnerability in FreeBSD's RPCSEC_GSS implementation. It was discovered by Nicholas Carlini using Claude, and later Claude autonomously developed a working exploit in approximately 8 hours. The exploit achieves a root reverse shell via a stack overflow leading to ROP and shellcode execution.
2025-07-04
research poc
NGP: Novel Shellcode Reconstruction Technique Evades Signature-Based DetectionNGP (Native Gadget Programming)
Security researcher 'therustymate' published a proof-of-concept technique called Native Gadget Programming (NGP) that reconstructs shellcode at runtime from byte fragments found in legitimate Windows system files. The dropper contains only metadata (file paths, offsets, lengths) rather than the shellcode itself, evading static signature-based detection by AV/EDR. This research demonstrates a new method to bypass endpoint security products that rely on file scanning.
2025-07-03
research poc
Research Demonstrates EDR Evasion by Injecting Unhooked ntdll CopyEDR Unhooking via Fresh ntdll Injection
A researcher details a technique to evade EDR userland hooks by creating a section object from a clean ntdll.dll, mapping it into a target process, and using its unhooked system calls. This bypasses EDR monitoring that relies on patching ntdll in each process. The method allows attackers to execute syscalls that appear normal to the EDR.
2025-07-01
research poc
New Android App Detects Play Integrity Bypass Modules and Root Hiding ToolsplayIntegrityFixDetector
A security researcher released an open-source Android application that detects modifications and bypasses targeting the Google Play Integrity API. The app uses native C++ code with a custom bytecode VM and obfuscation to identify root-hiding modules, key attestation spoofing, and debugging tools. This provides a proof-of-concept for detecting advanced Android tampering techniques that could be used to evade endpoint security checks.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →